Thousands of patients impacted by ransomware attack at medical billing company

Following a ransomware attack at a medical billing company, thousands of patients are being warned that their highly sensitive medical information and personal details were amongst the breached data.

Michigan-based Wolverine Solutions Group (WSG) says that it discovered its systems had suffered a security breach on September 25 last year. Malware had infected the company’s computers and encrypted “many” of the firm’s records, rendering them inaccessible.

One week later WSG called in a team of external forensic security experts who attempted to recover the encrypted data.

According to WSG, its critical operations were back up and running by November 5, 2018 — over 40 days after the ransomware attack was initially detected.

However, work has continued in the months since to identify those individuals whose healthcare clients were affected. The company has mailed out a number of notifications to affected individuals in December, January and February, and says it will sent out more this month.

The good news is that no evidence has been found that the sensitive data was exfiltrated from WSG’s servers. As with most ransomware cases, the risk to information is primarily that it has been encrypted with a key only known to the attackers and made inaccessible rather than stolen for the purposes of identity theft and fraud.

Of course, it is possible for organizations to recover without paying any ransom to the criminals if they have maintained secure, regular backups of the data. Sadly, it’s still all too common to discover that backups have not been maintained or that the backups themselves have also been corrupted by the attack.

Even though there is no evidence that unauthorized parties stole the data, WSG says that the nature of the affected files (some of which contained individual patient information such as names, addresses, dates of birth, Social Security Numbers, insurance contract details, phone numbers and highly sensitive medical information) means that it is contacting all impacted individuals.

NOCHS was first warned by WSG that a data breach had occurred on December 10, 2018, 11 weeks after the ransomware infection was first detected. At that point, however, WSG was unable to confirm if any of NOCHS patients were impacted at the time. It took until February 5, 2019 for WSG to confirm that 15,000 NOCHS patient records were among the data that had been struck by the ransomware.

As well as offering 12 months’ worth of identity protection, WSG is making a number of recommendations for affected individuals including:

Add a fraud alert to their file at the three major credit reporting agencies: Equifax, Experian, and TransUnion.

Remove their names from mailing lists of pre-approved offers of credit for approximately six months.

Keep an eye open for unexpected bills, credit-card charges and bank account transactions.

Contact local police if you know or suspect you are a victim of identity theft.

As we have discussed before, ransomware attacks against healthcare providers are sadly nothing new.